Password-based Authentication

Password-based Authentication SBSeg 2007 Keynote Michel Abdalla Researcher École normale supérieure & CNRS

Alice Bob pkA pkB pkBsk = gsksk = pkAsk A A B B Diffie-Hellman protocol Let G be a group in which the DDH problem is hard and let g be a generator for G skA {0,…,|G|-1} pkA  gsk skB {0,…,|G|-1} pkB  gsk A B Protocol does NOT provide authentication

Authenticated Key Exchange (AKE) • Allow two parties to establish a common secret in an authenticated way • Intuitive goal: implicit authentication • The session key should only be known to the parties involved in the protocol • Formally: semantic security • the session key should be indistinguishable from a random string

Authentication techniques • Asymmetric techniques • Assume the existence of a public-key infrastructure • Each party holds a pair of secret and public keys • Symmetric techniques • Users share a random secret key • 2-party or 3-party settings • Password-based techniques • Consider the case of weak secrets (e.g., a 4-digit PIN) • Protocols are always subject to online guessing attacks

Password-based AKE (PAKE) • Realistic • Real-life applications usually rely on weak passwords • Convenient to use • Users do not need to store the secret • Comes at a cost • Protocols are always subject to online guessing attacks

Online dictionary attacks • Let D represent the set of possible passwords (i.e., dictionary) • As passwords need be memorized by humans, |D| is usually small • Online dictionary attack • Choose a password from D • Interact with authentication server using the guessed password • Each online attempt can succeed with probability 1/|D| • Counter measures against online attacks • Limit the number of unsuccessful attempts • Goal of password-based authentication • Restrict the adversary to online dictionary attacks only

Group Password-basedAKE (GPAKE) • Scenario • Similar to the 2-party case, except that … • Number of protocol participants is variable • Password is shared among all participants • Session key is shared among all participants • Security goals • Similar to the 2-party case: Allow a pool of users to established a common session key with only the help of passwords

Security model • Users can have many protocol instances running concurrently • Communication may be controlled by the adversary • Adversary can create, modify, or forward messages • The transmission of messages is done via specific oracle queries • Adversary is given oracle access to all user instances and can corrupt some of them • Protocol is considered secure if the session key held by a honest user cannot be distinguished from a random key

Outline • Review of PAKE schemes • History of GPAKE scheme • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks

Background: Ideal models • Random oracle model [BellareRogaway93] • Perhaps the most used ideal model in cryptography • The hash function is modeled as a perfectly random function • Random permutation model • Similar to the random-oracle model, but with a permutation instead of a function • Ideal cipher model • An extension of the random-permutation model • A block cipher is seen as a family of truly random and independent permutations (for each key) • Standard model • None of the above

Brief history of PAKE schemes • [BelMer92]: Encrypted Key Exchange (EKE) • Seminal work, no proofs • [BelPoiRog00,BoyMacPat00] • Formal security models • Protocols in the ideal-cipher and random-oracle models • [GolLin01] • Non-concurrent protocol in the standard model • [KatOstYun01,GenLin03,CHKLM05] • Efficient protocols in the CRS model • [BR00,BCP03/04,CatPoiPor04,MacKenzie02,AbPo05] • Efficient EKE and OKE protocols in the RO model

Alice Bob = pwAlice,Bob x Zp X  gx y Zp Y  gy Alice, X=Enc(X) Bob, Y=Enc(Y) Y  Dec(Y) K  Yx X  Dec(X) K  Xy SK  H(Alice,Bob,,X,Y,K) Encrypted Key Exchange [Bellovin & Merritt, 1992] • Flows are encrypted with the password

EKE instantiations • [BPR00,BCP03] • Enc = Ideal cipher • H = Random oracle • [MacKenzie02,BCP04] • Enc = Random oracle • H = Random oracle • [AbPo05] • Encpw(X) = X  hpw • H = Random oracle

Simple PAKE [AbPo05] Alice Bob = pwAlice,Bob x Zp X  gx y Zp Y  gy Alice, X= X  A Bob, Y= Y  B Y  Y/ B K  Yx X  X / A K  Xy SK  H(Alice,Bob,,X,Y,K)

Security of simple PAKE • Theorem: If the DDH problem is hard, then the protocoldescribed in the previous slide is a secure PAKE protocol in the random-oracle model. • Proof: see [AbPo05]

PAKE in the standard model: The Gennaro-Lindell Construction • Design is not as simple as EKE • Requires several different tools • One-time signatures • Non-malleable encryption schemes • Smooth projective hash functions

Smooth projective hash functions[GL03 variant]: Algorithms • Hash key generation: hk = HK(pk) • pk – public encryption key, hk – hashing key • Projected key generation:hp = (hk, c) • hk – hashing key, hp – projected key • Hashing algorithm:H(hk, m, c)  G • m – message, c – ciphertext, hk – hashing key • Projected hashing algorithm:h = h(hp, m, c; r) • hp – projected key, r – random used to generate c

Smooth projective hash functions[GL03 variant]: Security properties • Correctness: • If c = E(pk,m;r), then (m,c,hp) uniquely determines H(hk,m,c) • When c = E(m;r), H(hk,m,c) can be computed efficiently given r h(hp,m,c; r) = H(hk,m,c) • Smoothness: • If c is not an encryption of m,then (m, c, hp) gives no information (statistically) on H(hk,m,c) • Pseudo-randomness: • When c=E(m;r) and hp=(hk,c),then H(hk,m,c) is pseudo-random given only (m,c,hp)

The Gennaro-Lindell Construction Alice Bob Alice, vkR, cR skR, vkR Sig-KG cR Epk(pw  vkR; rR) skL, vkL Sig-KG hkL hashKey hpL(hkL, cR, vkR) cL Epk(pw  vkL; rL) Bob, hpL, vkL, cL hkR hashKey hpR(hkR, cL, vkL) R Sign(skR,Transcript) hpR, R L Sign(skL,Transcript) L KR HhkL(pw, vkR, cR) KL hhpR(pw, cL, vkL; rL) KL HhkR(pw, vkL, cL) KR hhpL(pw, cR, vkR; rR) SK  KL◦ KR

Outline • Review of PAKE schemes • History of GPAKE schemes • A Simple GPAKE protocol • A generic GPAKE protocol • Concluding remarks

Brief history of GAKE schemes • [BurDes94, BurDes05]: • Constant-round group Diffie-Hellman key exchange • Passive attacks, security based on CDH • [KatzYung03] • Proof of security for BD protocol based on DDH • Generic compiler from GKE to GAKE using signatures • [KimLeeLee04] • A variant of the BD protocol using random oracles and XOR operations • [Joux00] • A One Round Protocol for Tripartite Diffie-Hellman • [LiPieprzyk99,BreCat04] • Conference key agreement from secret sharing • [BoydNieto03, JeongKatzLee04, …] • Round-Optimal contributory key agreement

The Burmester-Desmedt Group Key Exchange [BD94]   P1 Pi PN x1 Zp X1  gx1 xi Zp Xi  gxi xN Zp XN  gxN X1 Xi XN K1  X2x1 KN  XNx1 Z1 K1 / KN KN  X1xN KN-1  XN-1xN ZN KN / KN-1 Ki  Xi+1xi Ki-1  Xi-1xi Zi Ki / Ki-1 Zi Z1 ZN SK K1◦ K2 ◦  ◦ KN

The Kim-Lee-Lee Group Key Exchange [KLL04]   P1 Pi PN s1 $ x1 Zp X1  gx1 si $ xi Zp Xi  gxi sN $ xN Zp XN  gxN X1 Xi XN K1  H(X2x1) KN  H(XNx1) Z1 K1  KN T1  s1 KN  H(X1xN) KN-1  H(XN-1xN) ZN KN  KN-1 TN  KN  sN Ki  H(Xi+1xi) Ki-1  H(Xi-1xi) Zi Ki  Ki-1 Ti  si Zi Ti Z1 T1 ZN TN SK  H2(s1 s2    sN)

A generic version of the Burmester-Desmedt protocol   Pi-1 Pi Pi+1 KE KE Ki Ki Ki-1 Ki-1 Zi-1  Ki-1 / Ki-2 Zi  Ki / Ki-1 Zi+1  Ki+1 / Ki Zi-1 Zi Zi+1 SK K1◦ K2 ◦  ◦ KN

KE KE Ki-1 Ki-1 Ki Ki A generic version of theKim-Lee-Lee protocol   Pi-1 Pi Pi+1 PN si-1 $ si $ si+1 $ sN $ Zi-1 Ki-1  Ki-2 Ti-1  si-1 Zi Ki  Ki-1 Ti  si Zi+1 Ki+1  Ki Ti+1  si+1 ZN KN  KN-1 TN  KN  sN Zi-1 Ti-1 Zi Ti Zi+1 Ti+1 ZN TN SK  H2(s1 s2    sN)

Previous work on GPAKE • [BreChePoi02, BreChePoi05]: • Group Diffie-Hellman password-based key exchange • Linear number of rounds • [LeeHwangLee04] • Based on the Kim-Lee-Lee GAKE protocol • Proven secure in the random-oracle model • Broken in [ABCP06] • [DuttaBarua06] • Based on the Kim-Lee-Lee GAKE protocol • Proven secure in the random-oracle and ideal-cipher models • Broken in [ABCP06] • [ABCP06], [TangChoo06] • Based on the Burmester-Desmedt protocol • Proven secure in the ideal-cipher and random-oracle models

More recent work on GPAKE • [KwonJeongLee06] • Simplification of [ABCP06] protocol • Proven secure in the “standard model” • Apparently insecure (work in progress) • [AbdallaPointcheval06] • Based on the Gennaro-Lindell PAKE protocol • Proven secure in the standard model • [BohliGonzalezSteinwandt06] • Proven secure in the standard model • Similar to [AbdallaPointcheval06], but more efficient • [ABGS07] • Generic compiler from 2-party to group • Proven secure in the standard model

Adding password authentication to the BD protocol • EKE approach • Encrypt all flows using the password pw • Xi= pw(Xi), Zi= pw(Zi) • Problem • In the BD protocol, Z1◦Z2◦ ◦ ZN = 1 • Dictionary attack • Guess password pw • Compute Zi= Dpw(Zi) for i=1,,N • Check if Z1◦Z2◦ ◦ ZN = 1

The Dutta-Barua GPAKE Protocol [DB06]   P1 Pi PN s1 $ x1 Zp X1  gx1 si $ xi Zp Xi  gxi sN $ xN Zp XN  gxN Epw(X1) Epw(Xi) Epw(XN) K1  H(X2x1) KN  H(XNx1) Z1 K1  KN T1  s1 KN  H(X1xN) KN-1  H(XN-1xN) ZN KN  KN-1 TN  KN  sN Ki  H(Xi+1xi) Ki-1  H(Xi-1xi) Zi Ki  Ki-1 Ti  si E’’pw(TN) E’pw(Z1T1) E’pw(ZiTi) SK  H2(s1 s2    sN)

An attack against the Dutta-Barua GPAKE protocol • Problem • All flows are encrypted under the same key • Attack • Let P1 and P2 be honest users • Attacker will play the role of P3 • Attacker waits for P1 and P2 to broadcast X1*=Epw(X1) and X2*=Epw(X2) • Attacker sets X3*=X1* (This implicitly sets x1=x3) and broadcasts it • This causes K1=K2 and Z2=0 • Hence, T2*=Epw(0s2)  Dictionary attack!

An attack against the Dutta-Barua GPAKE protocol P1 P2 P3 s1 $ x1 Zp X1  gx1 s2 $ x2 Zp X2  gx2 This implicitly sets x3=x1 Epw(X1) Epw(X2) Epw(X1) K1  H(X2x1) K3  H(X1x1) Z1 K1  K3 T1  s1 K2  H(X1x2 ) K1  H(X1x2) Z2 K2  K1= 0 T2  s2 Dictionary Attack!!! E’pw(Z1  T1) E’pw(0  T2)

The Lee-Hwang-Lee GPAKE protocol [LHL04]   P1 Pi PN x1 Zp X1  gx1 xi Zp Xi  gxi xN Zp XN  gxN Epw(X1) Epw(Xi) Epw(XN) K1  H(X2x1) KN  H(XNx1) Z1 K1  KN KN  H(X1xN) KN-1  H(XN-1xN) ZN KN  KN-1 Ki  H(Xi+1xi) Ki-1  H(Xi-1xi) Zi Ki  Ki-1 Z1 Zi ZN SK  H(K1 K2    KN)

An attack against the Lee-Hwang-Lee GPAKE protocol P1 P2 P3 P4 Epw(X1) Epw(X’1) Epw(X1) Epw(X’1) X1  gx1 K1 = K2 = K3 = K4 = H(X’1x1) 0 0 0 0 SK  H(K1 K2  K3  K4) P’1 P’2 P’3 P’4 Epw(X’1) Epw(X1) Epw(X’1) Epw(X1) X’1  gx1’ K’1 = K’2 = K’3 = K’4 = H(X1x1’) 0 0 0 0 SK’  H(K’1 K’2  K’3  K’4)

A simple GPAKE protocol: Intuition • Add an extra flow of random nonces ri at the beginning of the each sessionS = P1 r1  PN rN • Use a different encryption key for each user and session to avoid replaying of messagespwi = H(pw  S i) • Only encrypt the flow containing the values Xi to avoid dictionary attacks • Add an authentication flow to avoid malleability attacksAuthi = H’(S X1* Z1  XN* ZN  SK  i)

A simple GPAKE protocol: Construction [ABCP06]   P1 Pi PN r1 $ ri $ rN $ P1, r1 Pi, ri PN, rN x1 Zp X1  gx1 xi Zp Xi  gxi xN Zp XN  gxN Epw1(X1) Epwi(Xi) EpwN(XN) K1  X2x1 KN  XNx1 Z1 K1 / KN KN  X1xN KN-1  XN-1xN ZN KN / KN-1 Ki  Xi+1xi Ki-1  Xi-1xi Zi Ki / Ki-1 Z1 Zi ZN Auth1 Authi AuthN Session Key  H’’(Transcript  SK) SK  K1◦ K2 ◦  ◦ KN

A simple GPAKE protocol: Security • Theorem: If the DDH problem is hard, then the protocoldescribed in the previous slide is a secure GPAKE protocol in the random-oracle and ideal-cipher models • Proof: see [ABCP06]

A generic GPAKE protocol [ABGS07]: Intuition • Generate Ki using a (2-party) PAKE • Each user authenticates its neighbors • Commit to Zi before making it public • Commitment should be non-malleable • Use the fact that Z1◦ …◦ ZN = 1 for verification

A generic GPAKE protocol Pi-1 Pi Pi+1 AKE AKE Ki-1 Ki-1 Ki Ki Zi-1  Ki-1  Ki-2 Zi  Ki  Ki-1 Zi+1  Ki+1  Ki Com(Zi-1 i-1; ri-1) Com(Zi I; ri) Com(Zi+1i+1; ri+1) Zi-1, ri-1 Zi, ri Zi+1, ri+1 SK  UH(K1, ,KN,Transcript) Session Key  FSK(0)

Advantages of generic construction • Allows a modular design approach • Transformation is reasonably efficient • No ideal assumptions • Non-interactive non-malleable commitments • Family of collision-resistant pseudorandom functions [Katz-Shin 05] • Family of universal hash functions • Simpler proof of security

Concluding remarks • Recap • Attacks against previous constructions [ABCP06] • A simple construction in the IC and RO models [ABCP06] • A generic GPAKE construction [ABGS07] • The design of password-based protocols can be tricky • Small modifications to the protocol can make them insecure • The only way to be sure is to provide a security proof • Password-based authenticated key exchange remains a very active area

Future directions • More efficient constructions in the standard model • Stronger security guarantees • universal composability • Stronger corruption models

Password-based Authentication